CVE-2025-62799 is a heap-based buffer overflow vulnerability classified under CWE-122, affecting eProsima Fast-DDS, a C++ implementation of the OMG DDS standard used for real-time data distribution in distributed systems. The flaw exists in the DATA_FRAG receive path where the code processes RTPS DATA_FRAG packets. An unauthenticated attacker can send a single malformed packet with carefully crafted fragmentSize and sampleSize values that violate internal assumptions. During fragment metadata initialization, a 4-byte alignment step causes the code to write beyond the allocated payload buffer's boundary. This results in a heap buffer overflow that can cause an immediate crash (denial of service) and potentially memory corruption, which may be exploited for remote code execution. The vulnerability affects versions prior to 3.4.1, 3.3.1, and 2.6.11. The CVSS v4.0 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges or user interaction required, but partial impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild yet. The vulnerability is critical for systems relying on Fast-DDS for real-time communication, especially in industrial, automotive, and defense sectors where DDS is prevalent.

For European organizations, this vulnerability poses significant risks especially in sectors relying on real-time distributed communication such as automotive manufacturing, industrial automation, aerospace, and defense. Exploitation can lead to denial of service, disrupting critical operations and potentially causing safety hazards. More severely, the possibility of remote code execution could allow attackers to take control of affected systems, leading to data breaches, espionage, or sabotage. Given that Fast-DDS is used in safety-critical and mission-critical systems, the impact on operational continuity and data integrity could be substantial. The unauthenticated nature of the exploit increases the threat surface, as attackers do not need credentials or user interaction. This elevates the urgency for European organizations to assess their exposure and apply patches promptly to avoid operational disruptions and security breaches.

European organizations should immediately identify all deployments of eProsima Fast-DDS and verify the versions in use. Systems running versions prior to 3.4.1, 3.3.1, or 2.6.11 must be upgraded to the patched versions without delay. Network segmentation and strict firewall rules should be applied to limit exposure of Fast-DDS services to untrusted networks. Employing intrusion detection systems (IDS) with signatures or anomaly detection for malformed RTPS DATA_FRAG packets can help detect exploitation attempts. Additionally, implementing runtime protections such as heap overflow mitigations (e.g., ASLR, DEP) and continuous monitoring for crashes or unusual behavior in Fast-DDS components is recommended. For environments where immediate patching is not feasible, consider disabling or restricting the use of the DATA_FRAG feature or isolating affected systems until updates can be applied. Vendor coordination for timely updates and security advisories should be maintained.